Document the variables used by chpasswd. The definitions are copied from

login.defs. I should try to use a less error prone process for this.
2007-11-23 19:58:10 +00:00 · 2007-11-23 19:58:10 +00:00 · f0ccf72107
commit f0ccf72107
parent d316ba1b87
2 changed files with 122 additions and 0 deletions
--- a/6
+++ b/6
@ -1,3 +1,9 @@
+2007-11-22  Nicolas François  <nicolas.francois@centraliens.net>
+
+	* man/chpasswd.8.xml: Document the variables used by chpasswd.
+	The definitions are copied from login.defs. I should try to use a
+	less error prone process for this.
+
 2007-11-22  Nicolas François  <nicolas.francois@centraliens.net>

 	* man/login.defs.5.xml: Use <replaceable> for the values set by
--- a/man/chpasswd.8.xml
+++ b/man/chpasswd.8.xml
@ -128,6 +128,122 @@
    </para>
  </refsect1>

+  <refsect1 id='configuration'>
+    <title>CONFIGURATION</title>
+    <para>
+      The following configuration variables in
+      <filename>/etc/login.defs</filename> change the behavior of this
+      tool:
+    </para>
+    <!--********************************************************************
+      **                                                                  **
+      **             Definitions copied from login.def.5.xml              **
+      **                                                                  **
+      ********************************************************************-->
+    <variablelist>
+      <varlistentry>
+	<term><option>MD5_CRYPT_ENAB</option> (boolean)</term>
+	<listitem>
+	  <para>
+	    Indicate if passwords must be encrypted using the MD5-based
+	    algorithm. If set to <replaceable>yes</replaceable>, new
+	    passwords will be encrypted
+	    using the MD5-based algorithm compatible with the one used by
+	    recent releases of FreeBSD. It supports passwords of
+	    unlimited length and longer salt strings. Set to
+	    <replaceable>no</replaceable> if you
+	    need to copy encrypted passwords to other systems which don't
+	    understand the new algorithm. Default is
+	    <replaceable>no</replaceable>.
+	  </para>
+	  <para>
+	    This variable is superceded by the
+	    <option>ENCRYPT_METHOD</option> variable or by any command
+	    line option.
+	  </para>
+	  <para>
+	   This variable is deprecated. You should use
+	   <option>ENCRYPT_METHOD</option>.
+	  </para>
+	  <para>
+	    Note: if you use PAM, it is recommended to set this variable
+	    consistently with the PAM modules configuration.
+	  </para>
+	</listitem>
+      </varlistentry>
+      <varlistentry>
+	<term><option>ENCRYPT_METHOD</option> (string)</term>
+	<listitem>
+	  <para>
+	    This defines the system default encryption algorithm for
+	    encrypting passwords (if no algorithm are specified on the
+	    command line).
+	  </para>
+	  <para>
+	    It can take one of these values:
+	    <itemizedlist>
+	      <listitem>
+		<para><replaceable>DES</replaceable> (default)</para>
+	      </listitem>
+	      <listitem>
+		<para><replaceable>MD5</replaceable></para>
+	      </listitem>
+	      <listitem>
+		<para><replaceable>SHA256</replaceable></para>
+	      </listitem>
+	      <listitem>
+		<para><replaceable>SHA512</replaceable></para>
+	      </listitem>
+	    </itemizedlist>
+	  </para>
+	  <para>
+	    Note: this parameter overrides the
+	    <option>MD5_CRYPT_ENAB</option> variable.
+	  </para>
+	  <para>
+	    Note: if you use PAM, it is recommended to set this variable
+	    consistently with the PAM modules configuration.
+	  </para>
+	</listitem>
+      </varlistentry>
+      <varlistentry>
+	<term><option>SHA_CRYPT_MIN_ROUNDS</option> (number)</term>
+	<term><option>SHA_CRYPT_MAX_ROUNDS</option> (number)</term>
+	<listitem>
+	  <para>
+	    When <option>ENCRYPT_METHOD</option> is set to
+	    <replaceable>SHA256</replaceable> or
+	    <replaceable>SHA512</replaceable>, this defines the number of
+	    SHA rounds used by the encryption algorithm by default (when
+	    the number of rounds is not specified on the command line).
+	  </para>
+	  <para>
+	    With a lot of rounds, it is more difficult to brute forcing
+	    the password. But note also that more CPU resources will be
+	    needed to authenticate users.
+	  </para>
+	  <para>
+	    If not specified, the libc will choose the default number of
+	    rounds (5000).
+	  </para>
+	  <para>
+	    The values must be inside the 1000-999999999 range.
+	  </para>
+	  <para>
+	    If only one of the <option>SHA_CRYPT_MIN_ROUNDS</option> or
+	    <option>SHA_CRYPT_MAX_ROUNDS</option> values is set, then this
+	    value will be used.
+	  </para>
+	  <para>
+	    If <option>SHA_CRYPT_MIN_ROUNDS</option> &gt;
+	    <option>SHA_CRYPT_MAX_ROUNDS</option>, the highest value will
+	    be used.
+	  </para>
+	</listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
  <refsect1 id='files'>
    <title>FILES</title>
    <variablelist>